<p>By default, S3 buckets can be accessed through HTTP and HTTPs protocols.</p>
<p>As HTTP is a clear-text protocol, it lacks the encryption of transported data, as well as the capability to build an authenticated connection. It
means that a malicious actor who is able to intercept traffic from the network can read, modify or corrupt the transported content.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The S3 bucket stores sensitive information. </li>
  <li> The infrastructure has to comply with AWS Foundational Security Best Practices standard. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to enforce HTTPS only access by setting <code>enforceSSL</code> property to <code>true</code></p>
<h2>Sensitive Code Example</h2>
<p>S3 bucket objects access through TLS is not enforced by default:</p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

const bucket = new s3.Bucket(this, 'example'); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

const bucket = new s3.Bucket(this, 'example', {
    bucketName: 'example',
    versioned: true,
    publicReadAccess: false,
    enforceSSL: true
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#transit">AWS documentation</a> - Enforce encryption
  of data in transit </li>
  <li> <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5">AWS Foundational Security
  Best Practices controls</a> - S3 buckets should require requests to use Secure Socket Layer </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/319">CWE-319 - Cleartext Transmission of Sensitive Information</a> </li>
  <li> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html">AWS CDK version 2</a> - Bucket </li>
</ul>
